2FA in Twyne
Everyone says you shouldn’t build your own blogging platform, because then all you’ll ever write about is the platform itself and no one wants to read that. It’s a fairly accurate idea, unfortunately. In my defence, I’m actually finding that having my own blogging (and photo) platform is saving me lots of time on things like copying photos to Commons and finding duplicates — so even if no one reads any of this, it’s still been worth making this thing.
Anyway, one of the reasons I’ve always avoided building my own platform is that I’ve been worried about security. I’m feeling a bit better on that front now, because I’m using a bunch of common Symfony patterns and libraries, and now also because I’ve added two-factor authentication to it.
This means that, after registering a new account and logging in, users are not able to view any page on the site until they’ve set up 2FA. Instead, they’re presented with a QR code, which they scan with a phone app such as Google Authenticator, and that app gives them a six-digit code that is entered in a text box under the QR code. This pairing is saved against their user account (and for simplicity, it’s only possible to have one such pairing at the moment), and next time they log in they need to provide three pieces of information: their username, password, and a six-digit code from the app.
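To make the flow above concrete, here is an added example of the mechanics behind it: the secret that the QR code carries, the otpauth URI that authenticator apps such as Google Authenticator read from that QR code, the RFC 4226/6238 code derivation (HMAC-SHA1, 30-second steps, six digits), and a verifier that accepts a code from the neighbouring time steps but refuses to accept the same step twice. This is not Twyne’s code (Twyne is a Symfony/PHP application); it is a stand-alone Python illustration, and the names `TotpVerifier`, `provisioning_uri` and `SAMPLE_SECRET_B32` are my own. The sample secret is the one used in the RFC 6238 test vectors, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# The RFC 6238 test-vector secret, ASCII "12345678901234567890", base32-encoded.
# Used here only so the demo is reproducible; a real account gets generate_secret().
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse of generate_secret; tolerates missing '=' padding and spaces."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI (Key Uri Format) that is rendered as the enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{params}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / period."""
    return hotp(secret, at // period, digits)


class TotpVerifier:
    """Per-user verifier. `window` tolerates clock skew of +/- that many steps;
    `last_accepted_step` is what would be persisted with the user record so that a
    code which was already used to log in is rejected if presented again."""

    def __init__(self, secret_b32: str, period: int = 30, digits: int = 6, window: int = 1):
        self.secret = decode_secret(secret_b32)
        self.period = period
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        step = now // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            # Never accept a step at or before the last successful one (replay guard).
            if candidate <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET_B32, "alice@example.org", "Twyne"))
    print("code at T=59:", totp(decode_secret(SAMPLE_SECRET_B32), 59))
```

The enrolment step in the post (scan the QR code, type the first six-digit code) corresponds to calling `verify` once against the freshly generated secret before it is saved, so an account can never end up with a secret the user’s app did not actually import. The `last_accepted_step` field is the one detail a practitioner tends to forget: without it, a code that was observed during a login remains valid for the rest of its time step plus the skew window.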
There are plenty of issues with my implementation: it forces 2FA; doesn’t have backup codes; doesn’t allow multiple devices; can’t easily be reset; and the login flow is likely quite confusing. I’m happy enough at the moment because none of these are security issues, and I’ll slowly work my way through fixing them. Primarily, I wanted to make the site more secure, and as all the users are either me or people I know personally, I can handle any usability issues.
I think this is one of the great things about indieweb development: you build what you need, as you need it, and you don’t have to cater to some unknown simplified user. I do try to build everything here as general and reusable as possible (such that it should be possible for someone to set up their own Twyne-powered site, although I dare say that’s reasonably unlikely), but I no longer think it’s worth compromising on features that I actually want.